Over two-thirds of schools installed special software on school computers to spy on their pupils, responses to Freedom of Information requests have revealed.

According to a report by Big Brother Watch, "classroom management software" is running on over 800,000 computers, laptops, and mobile phones found in 1,000 secondary schools across England and Wales. A whopping £2.5 million has been spent on the programs.

Further Reading

Classroom management software allows the screens of an entire class to be monitored from a teacher's desktop, and for both the historical and real-time Web activity of a pupil to be accessed. Keystrokes can be watched, and alerts created to flag up "inappropriate" words. More generally, the systems can try to spot "bad" behaviour online, including signs of "extremism and radicalisation."

The software is also marketed as a way schools can tackle the problems of cyber-bullying, sexting, self-harm, or as a way of identifying pupils who may be having suicidal thoughts. The words pupils type whilst using a device can be monitored and run against a 'keyword abuse library' to flag issues of concern.

Schools are advised to issue "acceptable use" policies that are signed by pupils or their parents to confirm they are happy for this form of computer surveillance to be carried out. However, Big Brother Watch says that only 15 percent of the 1,000 schools that responded to its FoI requests provided their acceptable use policy.

Of those 150 schools, only 10 percent of the acceptable use policies mentioned the software that was being used, and then, the privacy campaigners said, "in very basic terms, such as 'I know that the school can remotely monitor what I can do on the computers', or more intimidating language was used, with a couple of schools warning students that they are 'NOT invisible' or that they are 'being monitored'. This is not only inappropriate but in most cases the schools are failing to adhere to data protection law."

Data protection is likely to become even more of an issue for schools in the future given the European Union's incoming General Data Protection Regulation. As the report noted: "By May 2018 any organisation handling data must ensure they inform the individual exactly why their data is being gathered, used, shared, or monitored. Only then can the individual be sure to have given their informed consent to the use of their personal data."

Big Brother Watch is also concerned about the security of class management programs: "the safety of children isn’t solely about protecting them from searching for, viewing, or typing inappropriate words and images," it said. "It also involves ensuring that the personal information held about them and their education is properly secured."

Further Reading

The report also notes a more insidious danger the routine deployment of classroom spyware could engender: coupled with the use of CCTV and biometric systems, it argues that there's a risk that spying on children could be seen as normal behaviour.

Ars sought comment on the report from the department for education. "Schools have a responsibility to keep pupils safe, including online, and schools should use appropriate filters and monitoring systems to protect children from harmful material," a spokesperson said. "How individual schools decide to do this is rightly a matter for the school, engaging with pupils and parents as appropriate."

Putting the particular software / capabilities that the article is griping about to one side for a moment: we damn well should teach kids (and adults) that their internet may be being monitored and that they should assume that anything they do can be traced & have consequences - because a) whether we like it or not, that's the world we now live in; and b) perhaps teaching kids from an early age that the Internet Cloak of Anonymity isn't as all-powerful as they might think may make the internet less of a cesspit than it currently is.

I remember in high school we had a program "LAN School Monitor" that popped up when you logged in saying it was being monitored. They could do an overview, full screen view of 1 student, remote-control, lock keyboard/mouse/monitor, and push out video over top of what you were doing. At one point I wondered what it could do so I googled the company that was in the pop-up warning and found their website...being unable to figure out how to navigate I tried adding "/downloads" to the URL and ended up getting in trouble for finding all the manuals, trials, and full-versions of all the software and the school thought their server got hacked they refused to believe it was all just "out there" on the web for anyone to find. You knew you were being watched because the mouse would "flicker" when it was polling the screen. We also learned by accident (doing a programming assignment) that the MS-DOS C++ graphics driver would crash the monitoring software...that was a fun time.

In college we had some other classroom management system, I know it had similar features (we had a teacher call someone out for not paying attention one time by pushing their videogame out to the whole class) and I know it could also push software and commands to all the workstations (I worked part-time IT and got to use it for applying updates when Conficker happened).

I would assume all company computers have either PC monitoring or internet-monitoring at the very least.

EDIT:I guess also here in the US it's probably less of an issue for the student over "consent" because effectively from when you leave for the schoolbus until you arrive home the school is functioning as the parent/guardian and can do basically whatever they want for searching stuff just like a parent could. Whether that's ethical to treat kids like little criminals is an unrelated issue to the legality of it over here.

And yes, at home I was subject to monitoring too, if I wanted to get on "the family computer" I had to ask my parents and then if I wanted to get on the internet they'd have to put in the password to connect to the internet. That didn't really seem unreasonable, basically all the time the answer was yes as long as it wasn't time to do chores or eat or go to bed.

Wow. I mean, I can't see ANY problems with monitoring every childs keystrokes. They are sure to properly secure all potential passwords they snoop up, right?

When I was in school they specifically forbid us from using email, chat, or myspace (the only real social network at the time) and all those sites were also blocked (though people figured out they could PING it and get the IP which wasn't blocked).

As for the school login, they didn't let us assign our own password, it had to be the month/year you were born (e.g. September 1988 would be 0988) or something like that.

The problem here is the high potential to capture passwords, including ones unrelated to school infrastructure. Even if these logs are stored in a secure fashion, it now creates a failure of non-repudiation. Some number of people have access to those logs, and therefore have the capability to imitate a user using the captured credentials. Doesn't matter if they pinky-swear to never, ever abuse this configuration. The security risk exists, and someone else might gain unauthorized access.

I remember in high school we had a program "LAN School Monitor" that popped up when you logged in saying it was being monitored. They could do an overview, full screen view of 1 student, remote-control, lock keyboard/mouse/monitor, and push out video over top of what you were doing. At one point I wondered what it could do so I googled the company that was in the pop-up warning and found their website...being unable to figure out how to navigate I tried adding "/downloads" to the URL and ended up getting in trouble for finding all the manuals, trials, and full-versions of all the software and the school thought their server got hacked they refused to believe it was all just "out there" on the web for anyone to find. You knew you were being watched because the mouse would "flicker" when it was polling the screen. We also learned by accident (doing a programming assignment) that the MS-DOS C++ graphics driver would crash the monitoring software...that was a fun time.

Link to article: http://www.ihstattler.com/blog/2015/06/ ... -security/I remember LAN school fondly. The teacher bragged about how it logged keystrokes and everyone was appalled by how sketchy that was. A few people ended up finding that the log file was not only stored locally, but not even really encrypted. The text file was stored in program files and used a f*cking substitution cipher for security. So all your passwords and login details were store in a text file that anyone can access, secured with just a simple substitution cipher. LAN school is a joke.

The Government's 2016 Statutory Guidance on Keeping Children Safe in Education is really clear on this, and the schools have no choice but to comply with it.

The quote that has been used to push these things lately says, "As schools and colleges increasingly work online, it is essential that children are safeguarded from potentially harmful and inappropriate online material. As such, governing bodies and proprietors should ensure appropriate filters and appropriate monitoring systems are in place".

This is taken to mean that schools have a duty to monitor the student's internet usage, because not doing so would put the school directly in the firing line should something happen.

Don't blame the schools, it's a massive headache for those responsible, particularly when it comes to keystroke monitoring, because of the scunthorpe effect.

Wow. I mean, I can't see ANY problems with monitoring every childs keystrokes. They are sure to properly secure all potential passwords they snoop up, right?

Having worked in educational IT, I would 100% trust any school to properly secure the personal data of students in its care.

...

/s

Really? Having been to school, admittedly a little while ago, I would have no faith in the under qualified people put in charge of IT infrastructure. We were constantly getting around and finding bugs in any software that was trying to limit what you could do on the computers.

Wow. I mean, I can't see ANY problems with monitoring every childs keystrokes. They are sure to properly secure all potential passwords they snoop up, right?

Having worked in educational IT, I would 100% trust any school to properly secure the personal data of students in its care.

...

/s

Really? Having been to school, admittedly a little while ago, I would have no faith in the under qualified people put in charge of IT infrastructure. We were constantly getting around and finding bugs in any software that was trying to limit what you could do on the computers.

Wow. I mean, I can't see ANY problems with monitoring every childs keystrokes. They are sure to properly secure all potential passwords they snoop up, right?

Having worked in educational IT, I would 100% trust any school to properly secure the personal data of students in its care.

...

/s

I work in Educational IT in the UK and I can't really say you're wrong, though I can give my view on why I do agree.

A lot of the Education Authorities in the UK farm out IT contracts to third party vendors, often for long, long contracts and the third party vendors are often woefully behind the times when it comes to product updates, especially fully managed IT solutions with off-site support. Before I started my current post 5 years ago, I agreed to take on a short-term contract providing on site IT to a local high school. In 2011, they were running XP and Server 2000. And it wasn't being patched - not even close. More annoying on a personal level was the amount of access I was permitted to IT systems (i.e - basically, next to none) despite it being in the contract that on-site IT should have full access - eventually had to run a Hirens Boot CD to get into one of the 2k servers to fix shared folder access that took all of 10 minutes to sort (But 3rd party vendor had marked as 72 hour response and were probably going to take a few hours and charge £70+ per hour to resolve).

My own job is software development in the FE sector where we've been clawing back a lot of work from third-parties and developing our own solutions while liaising with security vendors for security testing and ensuring we run a tight ship as much as possible. I can happily say that we've never been in the news for a data breach (touch wood) despite an active student base of around 40000. We're also fortunate that we have the budget for a good IT services team who take security seriously.

Having said that, we still run student monitoring software. We have to. Have you ever seen what teenagers will do on the internet when they think nobody is watching?!

Except keylogging is done. I spent several months doing IT support in Junior schools, and the keylogging software was called 'Policy Central' ( http://www.futuredigital.co.uk/ )

"Effective from 5th September 2016, all schools are now required, by law, to have an online monitoring system in place in order to safeguard children against potential risk in the school's ICT environment. "

It captures every keystroke, and then looks for keywords, and alerts. One school had a family under scrutiny because their child had searched for extremist material. Policy Central however doesn't just monitor web traffic. Type any of the trigger words into any app and it alerts.

I know in every primary school I was in such software was used (I'm in the US though, with a lot more lax data protection laws). In fact, pretty much every classmate I had knew it was in use, and when we went to the computer lab we'd all try to see if we could grab the "teacher" computer if it was in line with the rest instead of off by itself so we had the teacher edition of the program.

From memory of me being a troll with it, the program in use in my school let you spy on everyone's desktops in the lab simultaneously, broadcast out messages, and take control of single computers. I'm unsure if it was capable of keylogging, but I would guess that it was. Internet access monitoring and logging was performed by something at the gateway, so I don't know what the capabilities of that were.

Really? Having been to school, admittedly a little while ago, I would have no faith in the under qualified people put in charge of IT infrastructure. We were constantly getting around and finding bugs in any software that was trying to limit what you could do on the computers.

I doubt you did. The keylogging software is hidden way out of sight of prying users, the Internet proxy is your only way out, and is filtered, blacklisted and logged, and the sensitive data about students is held on a separate SIMS server to which you do not have access.

Except keylogging is done. I spent several months doing IT support in Junior schools, and the keylogging software was called 'Policy Central' ( http://www.futuredigital.co.uk/ )

"Effective from 5th September 2016, all schools are now required, by law, to have an online monitoring system in place in order to safeguard children against potential risk in the school's ICT environment. "

It captures every keystroke, and then looks for keywords, and alerts. One school had a family under scrutiny because their child had searched for extremist material. Policy Central however doesn't just monitor web traffic. Type any of the trigger words into any app and it alerts.

I was disagreeing with that practice specifically, not refuting its existence. I don't have a problem with monitoring in general, but keyloggers create a significant security risk. Sorry for the confusion.

Really? Having been to school, admittedly a little while ago, I would have no faith in the under qualified people put in charge of IT infrastructure. We were constantly getting around and finding bugs in any software that was trying to limit what you could do on the computers.

Speaking as someone who works in a school IT department...

We're not all idiots or under or unqualified. However, there admittedly are a lot that are. This is mainly because schools often are either too broke or too tight to pay decent wages for their IT techs. The academy chain that I work for in London recently put out a job advert for an IT tech. the wage was £20k/year. You are not going to get anyone worth having for that money, especially in London.

AFAIK this has been standard procedure in K-12 US public schools since computers existed. Just in my personal experience, from kindergarten onward there was always an un-clickable taskbar icon for a "logging" program of some kind nestled between the printer icon and the antivirus icon. Everyone just kinda accepted that they were being monitored. A few years ago the district put a disclaimer on the windows login screen about "zero expectation of privacy while on-network", but before that there was no warning.

Actually, just recently I was told that my district was putting video screen loggers on all school-owned Chromebooks. Not sure what they're going to do with the petabytes of video data that's going to produce over the course of each year (we've got 150,000 kids in the district and we're getting pretty close to a 1:1 student:Chromebook ratio) but that's not my problem.

Really? Having been to school, admittedly a little while ago, I would have no faith in the under qualified people put in charge of IT infrastructure. We were constantly getting around and finding bugs in any software that was trying to limit what you could do on the computers.

I doubt you did. The keylogging software is hidden way out of sight of prying users, the Internet proxy is your only way out, and is filtered, blacklisted and logged, and the sensitive data about students is held on a separate SIMS server to which you do not have access.

You were not l33t. Sorry.

You're way overestimating the technical competence of people who set things up for schools.

At my school, the folder containing the files that were imaged onto the hard drives of the PCs to re-ghost them was a world-writable shared folder. We used to use it to pass files around without the teachers spotting them in the normal shared folders. Which had the side effect of copying the files to every hard drive, if you didn't remember to delete them when you were done.

Granted, it's not the same as getting records for the logging software. But it's not such a stretch to think that other schools had similar security lapses there.

I moved cities, in NY State, USA last year. My kids in their new high school were assigned iPads to use in class and take home for schoolwork, etc.

We had to sign an use policy that had many provisions such as fees for missing cords ($50?!) etc. Basically all wording to protect the school and not the child or family.

So I tried multiple times to contact the school and get an answer on whether the device monitors any activity on a home or private wireless network, and more importantly, once it is allowed to see network on my traffic, does it snoop any of the traffic not intended for the device?

Several phone calls and emails went unanswered. The people with whom I did speak passed the buck and said I would receive a call from another staff member at a later time.

I never did get my questions answered and I never did allow those devices to connect to my home Wi-Fi.

Really? Having been to school, admittedly a little while ago, I would have no faith in the under qualified people put in charge of IT infrastructure. We were constantly getting around and finding bugs in any software that was trying to limit what you could do on the computers.

Speaking as someone who works in a school IT department...

We're not all idiots or under or unqualified. However, there admittedly are a lot that are. This is mainly because schools often are either too broke or too tight to pay decent wages for their IT techs. The academy chain that I work for in London recently put out a job advert for an IT tech. the wage was £20k/year. You are not going to get anyone worth having for that money, especially in London.

I'm not sure one can actually live in London on that wage. Heck, I was earning more than that as an *intern* three years ago at a tech company in the *North*.

Really? Having been to school, admittedly a little while ago, I would have no faith in the under qualified people put in charge of IT infrastructure. We were constantly getting around and finding bugs in any software that was trying to limit what you could do on the computers.

Speaking as someone who works in a school IT department...

We're not all idiots or under or unqualified. However, there admittedly are a lot that are. This is mainly because schools often are either too broke or too tight to pay decent wages for their IT techs. The academy chain that I work for in London recently put out a job advert for an IT tech. the wage was £20k/year. You are not going to get anyone worth having for that money, especially in London.

I left school more than 10 years ago, they did this even back then. It isn't new or news. The tools are more sophisticated these days and legislation more robust but it's par for the course really. If you log in to Facebook or whatever and they log your password then that's your fault, you weren't supposed to be on it anyway. These aren't the students computers, they're the property of the school or local education authority, you're just borrowing them as part of your studies. I'd be surprised if most of the students don't have a smartphone anyway if they want to do all that other stuff.

This may be controversial, but I don't see a problem with the monitoring that these schools are undertaking.

I had a great six years working in a further education college in the UK, looking after a network infrastructure used by students aged 16 to 18.

16 and 17 year olds are still minors. They are children, and believe me, some of them still behave as such at this age.

Not only did we have a collective legal responsibility to safeguard these children, we also had a moral obligation to teach them that the internet can be a dangerous place, nothing you do on the internet is truly private, and that bullying of any kind is completely unacceptable

We of course had web filters to block access to dangerous and innapropriate content. We also had group policies to prevent access to potentially invasive files such as executable files on external media and we used Sophos antivirus to block access to unapproved installers and programs.

All of these things were useful in preventing access to materials that could harm the students or the network infrastructure, and we didn't face a malware outbreak or other serious incident during the time I worked at the college.

We had a daily report that told us which students had tried to access proxy sites to bypass the protections we had in place. Offenders were called in to the office, not so that we could punish them, but so that we could explain to them in no uncertain terms that using proxy sites = giving your personal details and password to some potentially dodgy characters.

We had classroom management systems in use in the college which would allow staff to monitor students internet usage, general activity, view their screens and monitor keystrokes for certain keywords. To my knowledge, the software in question never logged the users keystrokes, it simply watched out for certain trigger words and alerted the teacher that the student had typed said word.

We had a number of incidents at the college where students were identified to be bullying other students using the IT systems, whether that be through email, social media, or some other means. It is notoriously difficult for victims of bullying to come forward and tell an adult, so having a tool to monitor a students activity whilst on a computer meant for educational use is, in my mind, only a good thing. I know of at least two incidents of bullying that were discovered based purely on the teacher monitoring the students activity using the classroom management software.

I completely understand that everybody has a right to privacy, and reasonable efforts should be taken to protect that privacy. However, I believe there is an overriding requirement to protect the children in our society from the dangers and consequences that they may be unaware of, until such time as they have been educated to understand those dangers and consequences. This applies to everything from crossing the road, to taking drugs, and yes, even using the internet.

Really? Having been to school, admittedly a little while ago, I would have no faith in the under qualified people put in charge of IT infrastructure. We were constantly getting around and finding bugs in any software that was trying to limit what you could do on the computers.

I doubt you did. The keylogging software is hidden way out of sight of prying users, the Internet proxy is your only way out, and is filtered, blacklisted and logged, and the sensitive data about students is held on a separate SIMS server to which you do not have access.

You were not l33t. Sorry.

You're way overestimating the technical competence of people who set things up for schools.

At my school, the folder containing the files that were imaged onto the hard drives of the PCs to re-ghost them was a world-writable shared folder. We used to use it to pass files around without the teachers spotting them in the normal shared folders. Which had the side effect of copying the files to every hard drive, if you didn't remember to delete them when you were done.

Granted, it's not the same as getting records for the logging software. But it's not such a stretch to think that other schools had similar security lapses there.

Amy

Why are you under the impression the teachers would notice your activity? The tecchie would be looking at that, if they thought it worthwhile.

You found a world writable share. Wow. You think you were pulling a fast one, when nobody really cared in the first place. You could have kept under the radar by giving traded files on official shared areas innocuous names like 'HistoryProjectShared.doc'. Nobody would have looked at that, entirely because of all the other safeguards in place (Keylogging, Internet filtering, blocking, and history scanning, Malware and AntiVirus protection. )

We _do not_ log students' keystrokes. We do not read their email. I don't know of any comparable institution that _does_ do either of those things.

However, due to legal requirements around Safeguarding and compliance with PREVENT, we are obliged to keep a watch on, for example, internet activity. We're required to have the ability to investigate how a student (or staff member for that matter, the exact same software is installed on my computer as is installed on every student's computer) uses their computer and emails they've sent and received in the event that we have a particular concern. These are obligations placed on us by various legal frameworks, simple as that.

We _do not_ log students' keystrokes. We do not read their email. I don't know of any comparable institution that _does_ do either of those things.

Policy Central effectively logs keystrokes, by looking for keywords typed, and alerting if certain words or phrases are used. I know this alerting caused a family to be surveilled as part of an anti-radicalisation investigation. So it is being used. You say you work in a college, is that educating adults? The UK safeguards deal with minors, so you may escape the requirements.

Policy Central effectively logs keystrokes, by looking for keywords typed, and alerting if certain words or phrases are used. I know this alerting caused a family to be surveilled as part of an anti-radicalisation investigation. So it is being used.

But not by us. I cannot comment on the actions of other establishments, except to say that they have probably looked at the same legal advice and interpretations of the laws and 'best practice' we have and made a "better safe than sorry" determination.

You say you work in a college, is that educating adults? The UK safeguards deal with minors, so you may escape the requirements.

We have some students that are under 18. We're required to be concerned about safeguarding (as you can be with adults incidentally, if they're likely to be classed as 'vulnerable'). PREVENT applies to education for all ages and types of student, as far as I can tell.

This policy is perfectly reasonable, if only because it is precisely what employers do.Learning that the owner of the computer you are forced to use has control over it and knows what you do is a valuable preparation for the workplace.